IoTeX offers cross-bridge hackers 10% bounty if they return $4.4 million within 48 hours

• IoTeX is offering a 10% white-hat bounty, about $440,000, and a promise not to pursue legal action if hackers return roughly $4.4 million stolen from its ioTube cross-chain bridge within 48 hours.
• The Feb. 21 exploit stemmed from a compromised validator owner private key on the Ethereum side of the ioTube bridge, which IoTeX and outside experts describe as an operational security failure rather than a flaw in the Layer 1 blockchain or its smart contracts.
• IoTeX traced the stolen funds across chains, identified bitcoin addresses holding about 66.6 BTC, and is rolling out a mainnet upgrade with a default blacklist of malicious addresses, but experts warn that assets already swapped and bridged may be difficult or unlikely to recover.

IoTeX, a blockchain project focused on Internet-of-Things devices, offered a 10% white-hat bounty to the hacker or hackers who exploited a private key on its cross-chain bridge ioTube, siphoning millions of dollars, in exchange for the voluntary return of funds within 48 hours.

With this move, IoTeX is offering the $440,000 if the malicious actor or actors return roughly $4.4 million they stole, according to an IoTeX X post, to which IoTeX co-founder and CEO Raullen Chai pointed “as a source of truth” on Monday.

A number of crypto projects have offered similar 10% bounties to hackers after being breached. Hackers sometime return funds in exchange for this bounty.

Chai told CoinDesk that the team sent an onchain message offering not to pursue legal action or share identifying information with law enforcement if the remaining funds are returned.

“This is regarding the ioTube bridge exploit on Feb. 21, 2026,” Chai said in the message. “All fund movements across Ethereum, IoTeX, and bitcoin have been fully traced.”

The message states that exchange deposits have been flagged and frozen and offers a 10% bounty for the return of remaining funds.

Chai also said IoTeX is rolling out a new chain version, Mainnet v2.3.4, requiring node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.

The offer comes after a Feb. 21 exploit in which a compromised validator owner private key enabled unauthorized control over ioTube’s bridge contracts.

IoTeX said the incident is “under control,” saying that its Layer 1 blockchain was not affected and that the breach was isolated to the Ethereum-side infrastructure of the bridge.

The IOTX token fell roughly 22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding.

Cross-chain bridges have been one of crypto’s main failure points, with several high-profile exploits in recent years. According to industry reports, more than $3.2 billion has been lost due to cross-chain bridge hacks, making them a prime target for advanced threat actors.

Responsibility and key control

IoTeX framed the exploit as an operational issue specific to the bridge rather than a failure of its Layer 1 network.

“IoTube is IoTeX’s own cross-chain bridge built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach came down to a compromised validator owner private key on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.”

Motz agreed that IoTeX’s Layer 1 was not compromised but said user funds were entrusted specifically to the bridge.

“When you build and operate the bridge infrastructure and the key management is what fails, it’s difficult to separate yourself from that outcome,” he said.

Nanak Nihal Khalsa, co-founder of human.tech, said responsibility in crypto often comes down to key custody.

“Yes, whoever holds the private key is responsible for securing it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.”

He added that liability norms remain unsettled compared to traditional finance and called for stronger wallet and multisig setups to reduce similar risks.

The estimates diverge

On-chain analysis by security firm PeckShield estimated more than $8 million worth of assets were affected, saying the attacker swapped funds into ether (ETH) and began bridging them to bitcoin BTC$64,984.26 via THORChain.

“The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain,” the firm wrote.

Another onchain investigator, Specter, said on X that “the private key of @iotex_io may have been compromised,” resulting in an estimated $4.3 million loss.

“Once assets are routed through THORChain […] recovery becomes extremely difficult,” Motz said.

IoTeX said it has identified four bitcoin addresses holding 66.78 BTC worth roughly $4.3 million at current prices and that the addresses are being monitored in cooperation with exchanges.

A CoinDesk review of those addresses on Feb. 23 confirmed they held roughly 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment is not the same as recovery,” he added. “The assets with actual market value were swapped and bridged. Those are, in my assessment, unlikely to be recovered.”

Khalsa similarly cautioned that recovery prospects are uncertain. “It’s hard to predict how much, if any, can be recovered,” he said.

IoTeX revised its figure upward to approximately $4.3 million, reflecting the direct asset drain but excluding minted tokens. Motz said broader estimates may better capture the severity of the breach.

“Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% bounty, IoTeX said a compensation plan would be in place within the next 48 hours.

UPDATE (Feb. 23, 2026, 23:21 UTC): Adds context on bounties offered after hacks.

• NEAR is launching Near.com, a new crypto wallet and consumer app that aims to make blockchain technology feel as simple as using a traditional finance app, while positioning itself at the intersection of crypto and artificial intelligence (AI).
• The product was unveiled by NEAR co-founder Illia Polosukhin, who described it as part of a broader shift toward what he calls the “agentic era,” a future where AI systems don’t just provide answers, but take action on behalf of users.
• At its core, Near.com is designed to remove much of the friction that has long made crypto confusing for everyday users. Instead of worrying about gas fees, private keys or switching between different blockchains, users can manage their assets in one place.

Disclosure & Polices: CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of Bullish (NYSE:BLSH), an institutionally focused global digital asset platform that provides market infrastructure and information services. Bullish owns and invests in digital asset businesses and digital assets and CoinDesk employees, including journalists, may receive Bullish equity-based compensation.